Has anyone had any issues deploying Exchange 2016 servers in a "DMZ" behind the Palo Alto firewall?
Microsoft does not support this configuration and their preferred architecture is to put the Exchange servers in the internal network. Because these Exchange servers are public facing, we are pushing to have the servers set up in our DMZ.
What you are attempting to do is the right approach, in my opinion. The logs are your best friend when it comes to this. Check for any traffic not getting to where it needs to go. I always put a DENYALL rule as the last rule so I can see clearly if it is being hit by any traffic and adjust or add rules above it.
Hope this helps.
Microsoft doesn't support it because it's a time consuming thing to setup; as long as you have the time to monitor the logs and open the ports that are actually needed you really aren't going to run into any issues. I'm actually not sure why Microsoft really discorages this configuration, I assume because it causes an issue with setting up autodiscover if you don't have the right ports open?
I'm sure they advise against it because they don't want to have their support folks or system level contractors have to worry about something obstructing access. There's also the argument of local Windows firewalls. I personally disagree with the idea of not putting it a segregated environment--especially because as of 2016 Outlook Web Access also runs on the same server. As long as the correct ports (and app-ids) are defined it should work.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!